Which statement describes the difference between containment and eradication?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Which statement describes the difference between containment and eradication?

Explanation:
Containment aims to stop the incident from spreading while keeping enough data intact for investigation, whereas eradication means removing the threat itself and all associated artifacts from the environment. When you contain, you might isolate affected systems, segment networks, and block attacker activity to prevent new hosts from being compromised, all while preserving logs, memory dumps, and other evidence for forensic analysis. Eradication goes beyond containment by actually removing the malicious code and persistence mechanisms, cleaning up artifacts, applying patches or configurations to prevent reinfection, and then verifying that no traces remain. This makes the statement the best choice because it clearly links containment to limiting spread and preserving evidence, and it ties eradication to removing the threat and artifacts. The other options lack or reverse these nuances—for example, they may omit the spread-limiting aspect, or imply containment and eradication are the same, or say the opposite of what each term does.

Containment aims to stop the incident from spreading while keeping enough data intact for investigation, whereas eradication means removing the threat itself and all associated artifacts from the environment. When you contain, you might isolate affected systems, segment networks, and block attacker activity to prevent new hosts from being compromised, all while preserving logs, memory dumps, and other evidence for forensic analysis. Eradication goes beyond containment by actually removing the malicious code and persistence mechanisms, cleaning up artifacts, applying patches or configurations to prevent reinfection, and then verifying that no traces remain.

This makes the statement the best choice because it clearly links containment to limiting spread and preserving evidence, and it ties eradication to removing the threat and artifacts. The other options lack or reverse these nuances—for example, they may omit the spread-limiting aspect, or imply containment and eradication are the same, or say the opposite of what each term does.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy